Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]

From: Rusty Russell <rusty@rustcorp.com.au>
To: David Howells <dhowells@redhat.com>
Cc: mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
	dmitry.kasatkin@gmail.com, mcgrof@suse.com,
	linux-kernel@vger.kernel.org, dhowells@redhat.com,
	seth.forshee@canonical.com,
	linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
Date: Sat, 16 May 2015 08:21:56 +0930	[thread overview]
Message-ID: <87d221laib.fsf@rustcorp.com.au> (raw)
In-Reply-To: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>

David Howells <dhowells@redhat.com> writes:
> Hi Rusty,

Hi David,

        I try to stick my nose into patches which touch module.c/h: this
doesn't, so am happy for this via another tree (AFAICT doesn't even need
my ack).

Thanks,
Rusty.

> Here's a set of patches that does the following:
>
>  (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension.
>      We already extract the bit that can match the subjectKeyIdentifier (SKID)
>      of the parent X.509 cert, but we currently ignore the bits that can match
>      the issuer and serialNumber.
>
>      Looks up an X.509 cert by issuer and serialNumber if those are provided in
>      the AKID.  If the keyIdentifier is also provided, checks that the
>      subjectKeyIdentifier of the cert found matches that also.
>
>      If no issuer and serialNumber are provided in the AKID, looks up an X.509
>      cert by SKID using the AKID keyIdentifier.
>
>      This allows module signing to be done with certificates that don't have an
>      SKID by which they can be looked up.
>
>  (2) Makes use of the PKCS#7 facility to provide module signatures.
>
>      sign-file is replaced with a program that generates a PKCS#7 message that
>      has no X.509 certs embedded and that has detached data (the module
>      content) and adds it onto the message with magic string and descriptor.
>
>  (3) The PKCS#7 message (and matching X.509 cert) supply all the information
>      that is needed to select the X.509 cert to be used to verify the signature
>      by standard means (including selection of digest algorithm and public key
>      algorithm).  No kernel-specific magic values are required.
>
>  (4) Makes it possible to get sign-file to just write out a file containing the
>      PKCS#7 signature blob.  This can be used for debugging and potentially for
>      firmware signing.
>
>  (5) Extract the function that does PKCS#7 signature verification on a blob
>      from the module signing code and put it somewhere more general so that
>      other things, such as firmware signing, can make use of it without
>      depending on module config options.
>
> Note that the revised sign-file program no longer supports the "-s <signature>"
> option as I'm not sure what the best way to deal with this is.  Do we generate
> a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert?  I
> lean towards the latter.  Note that David Woodhouse is looking at making
> sign-file work with PKCS#11, so bringing back -s might not be necessary.
>
> They can be found here also:
>
> 	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
>
> and are tagged with:
>
> 	modsign-pkcs7-20150515
>
> Should these go via the security tree or your tree?
>
> David
> ---
> David Howells (7):
>       X.509: Extract both parts of the AuthorityKeyIdentifier
>       X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
>       PKCS#7: Allow detached data to be supplied for signature checking purposes
>       MODSIGN: Provide a utility to append a PKCS#7 signature to a module
>       MODSIGN: Use PKCS#7 messages as module signatures
>       system_keyring.c doesn't need to #include module-internal.h
>       MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
>
> Luis R. Rodriguez (1):
>       sign-file: Add option to only create signature file
>
>
>  Makefile                                  |    2 
>  crypto/asymmetric_keys/Makefile           |    8 -
>  crypto/asymmetric_keys/pkcs7_trust.c      |   10 -
>  crypto/asymmetric_keys/pkcs7_verify.c     |   80 ++++--
>  crypto/asymmetric_keys/x509_akid.asn1     |   35 ++
>  crypto/asymmetric_keys/x509_cert_parser.c |  142 ++++++----
>  crypto/asymmetric_keys/x509_parser.h      |    5 
>  crypto/asymmetric_keys/x509_public_key.c  |   86 ++++--
>  include/crypto/pkcs7.h                    |    3 
>  include/crypto/public_key.h               |    4 
>  include/keys/system_keyring.h             |    5 
>  init/Kconfig                              |   28 +-
>  kernel/module_signing.c                   |  212 +--------------
>  kernel/system_keyring.c                   |   51 +++-
>  scripts/Makefile                          |    2 
>  scripts/sign-file                         |  421 -----------------------------
>  scripts/sign-file.c                       |  212 +++++++++++++++
>  17 files changed, 578 insertions(+), 728 deletions(-)
>  create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
>  delete mode 100755 scripts/sign-file
>  create mode 100755 scripts/sign-file.c